New Zealand Police say the database "will remain offline until we can be reassured by our vendor that the platform is secure." The update wasn't authorized, police say.

The database enables gun owners to notify police of firearms they own and register for compensation under a buy-back program.

New Zealand Police said in an update on Monday afternoon that full details for 35 people were accessed without authorization. The data accessed includes names, addresses, phone numbers, firearms license numbers and bank account details. Another group of people, numbering less than 500, saw their names and addresses accessed, police say.

Police disputed a claim by the Council of Licensed Firearms Owners that 19 unauthorized individuals had accessed data. Only one gun dealer accessed data without authorization, and that person contacted police, they say.

"We have requested this information from COLFO leaders to enable us to establish the facts," according to Deputy Commissioner Mike Clement. "Nothing has been provided to date, but police continues to liaise with COLFO."

COLFO's law firm, Franks Ogilvie, published a statement on Monday confirming that it was investigating claims that the notification system may have been available after police said it was shut down.

The buy-back program was part of an overhaul of New Zealand's firearms laws following shootings at two mosques in Christchurch on March 15, resulting in 51 deaths.

The next month, with the backing of Prime Minister Jacinda Ardern, New Zealand's Parliament passed laws banning most so-called centerfire semi-automatic guns, certain types of rifles and some pump-action shotguns, amongst other weapons. Those possessing now-banned weapons could be eligible for compensation from the government for turning them over.

One component of the buy-back program was a website where gun owners could notify police of the firearms they hold. Gun owners could also supply their bank account details if they believed they may be eligible for payment. Along with SAP, Microsoft is one of the police's technology partners for the effort.

Wrong Security Profiles

SAP says in a joint statement with police that the error involved security profiles that would have allowed some users "to create citizen records." But the profile was assigned to 66 gun dealers due to human error.

Those errors resulted in one gun dealer, who contacted authorities, accessing prohibited data, police say. "We are engaging with the person who has accessed the information to ensure no further information is shared," it says.

A redacted screenshot of the exposed database published by the Council of Licensed Firearms Owners (Source: COLFO)

SAP says it locked all user profiles on the system except for its consultants who were investigating.

"We unreservedly apologize to New Zealand Police and the citizens of New Zealand for this error," the company says. "The security of our customers and their data is of absolute priority to us. A full internal investigation is already underway within SAP."

New Zealand police say the buy-back program will continue but using manual processes.

The country's Privacy Commissioner says police will contact those affected by the breach and that it is "currently working with NZ Police to ensure they are taking steps to protect the personal information they hold."

Exposure Created 'Shopping List'

New Zealand's quick legislative action after its worst mass shooting was endorsed by most, although there was some mild opposition. The database snafu was seized upon by COLFO, which has contended the new laws were rushed.

"This is a shocking development," says COLFO spokesperson Nicole McKee. "Full details of prohibited firearms, and addresses at which they could be found, have been available online to the public."

The incident shows why a police firearm register can't be trusted, McKee says. She told The Guardian that the exposure created a "shopping list for criminals."

COLFO alleges that the database error shows that 37,125 gun owners have registered 280,000 now-prohibited weapons. As of Nov. 24, New Zealand Police say they've collected more than 40,000 firearms and nearly 150,000 gun components, paying out more than $75 million. The buy-back period ends Dec. 20.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
